Data Privacy for List-based Remarketing

Written by
Luke Marthinusen

Data Privacy for List-based Remarketing

In this article, I explore the crucial balance between effective digital marketing and ethical data practices, focusing on compliance in personal data usage, especially list-based remarketing.

I'll discuss the importance of clear privacy policies, transparent cookie consent, and ethical data handling on ad platforms like Meta and Google Ads, which use hashing to protect user privacy.

Additionally, we address the challenges of managing data privacy in a fragmented digital ecosystem and how integrated systems like HubSpot and Salesforce can help maintain user preferences across channels. 

What is remarketing?

Remarketing is a digital marketing strategy that targets ads to individuals who have previously interacted with a brand or website. It involves collecting data on user behaviour through tools like cookies or website pixels and then using this information to display personalised ads to these users as they browse other sites online.

This technique effectively recaptures potential customers' attention, increasing the likelihood of conversions by presenting tailored content that resonates with their demonstrated interests.

Remarketing campaigns often involve collaboration with third-party platforms like Google, Facebook, and X, and require adherence to privacy laws and user consent protocols.

Why is data privacy a concern with remarketing?

Data privacy is a concern with remarketing because it involves collecting and using personal data, such as user behaviour and interactions, often through cookies, tracking pixels and forms. This data is then shared with third-party platforms like Google, Facebook, and Twitter for targeted advertising.

Such practices raise privacy issues, particularly under regulations like GDPR (EU), CCPA (California), and POPIA (South Africa), which mandate user consent and transparency in data usage.

Users may not be fully aware of, or have consented to the extent of tracking and data sharing, making it imperative for businesses to clearly disclose their data practices and offer opt-out options.

Why data privacy is especially concerning around List-based remarketing

With list-based remarketing, we literally upload a spreadsheet with rows and rows of personal data to a third party like Google Ads. This form of remarketing is highly specific and accurate. As such, we must be very careful how we use it and very specific with our users on how we might use their personal data. 

With the phasing out of third-party data usage by Google Chrome (more on this below), first-party data is key to present-day ad targeting.

Let's unpack first-party data.

Considering first-party and third-party data

First-party data is information an organisation collects from its audience or customers, such as user behaviour on its website, purchase history, or data from form submissions and CRM systems. It's gathered through direct interactions and is owned by the organisation.

Third-party data, on the other hand, is data collected by entities not directly related to the user, like data brokers or aggregators, and is often purchased or acquired for broader market insights.

Data is predominantly collected with forms, e.g. names and email, or on-site cookies that track interactions like page views and clicks. Or in the course of daily business activities in a CRM system, driving processes like sales and customer service. 

About Google's move away from third-party cookies

Google's move away from third-party cookies has brought first-party data to the forefront due to privacy concerns and regulatory changes. Google has signalled that it will entirely phase out third-party cookie usage in Google Chrome in the second half of 2024.


Third-party cookies, often used to track users across different websites, have raised significant privacy issues, leading to stricter regulations like General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA). As a response, Google is phasing out these cookies in favour of more privacy-conscious approaches.

First-party data, being collected directly from an organisation's own audience with their consent, is seen as more privacy-compliant and reliable. It allows businesses to personalise user experiences and target ads effectively while respecting user privacy. This shift encourages a more transparent and ethical approach to data collection and usage, aligning with evolving digital privacy norms.

How to use first-party data for remarketing

So, let's break down how you can use your first-party data to conduct remarketing in a compliant manner.

Step 1: Collect user data

Gather data through direct interactions like website visits, purchases, or form submissions. Ensure transparency and obtain user consent, adhering to privacy laws like GDPR.

This is the most critical touchpoint; I cover it in detail below under 'Compliance for collecting personal data'.

Step 2: List segmentation

Categorise users based on behaviour or preferences. Use this segmentation to tailor marketing strategies and enhance user experience.

Step 3: Ad creation and personalisation

Develop targeted ads that resonate with each user segment. Personalise content based on the collected data to increase relevance and engagement.

Step 4: Upload user data

Securely upload the segmented lists to your advertising platforms. Ensure data is handled and stored in compliance with data protection regulations.

This is another critical touchpoint. I cover this below in the section entitled 'Uploading the segmented lists to your advertising platforms'.

Compliance for collecting personal data

Everything begins and ends with your Privacy Policy, which may include a cookie section, or you may elect to have a separate Cookie Policy. Either way, you need to have a Privacy Policy, and you need to cover how you handle cookies. 

GDPR requires that your privacy policy and use of personal data be written in plain language and not legalese. 

When crafting this section of your Privacy Policy, the initial task is to clarify the concepts of cookies, retargeting, and their associated impacts for your users.

Website forms that gather personal data need to state, at a bare minimum:

By clicking submit, you understand that Company Name will process your personal data in accordance with our Privacy Policy.

  • "By clicking submit" - by taking action
  • "you understand" - the person submitting the form confirms understanding of the implications.
  • "process your personal data" - collecting, organising, storing, modifying, using, publishing, combining, and erasing data.
  • "in accordance with our Privacy Policy" - everything detailed in the privacy policy.

What regions does this apply to?

In a nutshell, if you collect and process data on residents of the EU, UK, Germany, South Africa, and USA (specifically California) - strong privacy laws are in place, and Privacy Policies need to be adequately developed, displayed on the website and be adhered to. 

Where do you need to display your Privacy Policy

1. Cookie popup for cookie consent

A cookie consent popup is a mandatory function for all websites in the GDPR era. It requires all users to consent to the use of cookies on a website at their initial visit. You must link to your Privacy Policy or Cookie Policy. Third-party cookies must be blocked until the user gives consent.

2. Forms

All forms must inform the user that their personal data will be processed upon submission. Secondly, forms should provide a link to your Privacy Policy.

3. Footer

Display a link to your Privacy Policy, which must always be displayed on your website. The preferred location is your footer, which is also always displayed. Most regions' personal data protection laws mandate this if you serve the area. 

What do you need to say about cookies and personal data collection?

If we review the Meta and Google articles linked below, we can summarise the actions they both recommend.

Meta: Cookie Consent Resource

Google Ads: What to include in your privacy policy for your data segments

Thankfully - they both recommend the same actions. Here they are summarised:

1. Consent

Ensure consent is freely given, specific, informed, and unambiguous. In practice, this means obtaining user consent before setting/reading cookies (i.e. Clicking accept on a cookie consent popup)

2. User Control

Provide clear options for users to opt-out or control cookie settings. Inform users that, in some cases, they can refuse the setting of cookies via platforms like YourAdChoicesNetwork Advertising Initiative, and/or on their internet browsers.

3. Transparency

Be upfront about cookie usage, its purposes, and duration. Explain how third-party providers, like Google, Meta, Linkedin and X, use cookies and device IDs to deliver ads based on user interactions.

4. Compliance

Align with GDPR, CCPA, POPIA and other privacy laws in your communication about cookies.

Uploading the segmented lists to your advertising platforms

Here is where things get interesting. We are uploading personal data we've collected to another third-party platform. If we've been clear in our privacy and cookie policies and displayed links to them, we've collected this information compliantly. 

To share this information compliantly with the ad platforms, we must understand what happens to the data once we upload it and how the ad platforms consume and store the data

The ad platforms all use a process called Hashing to encrypt the personal data you share with them.

I won't cover this in detail here for sake of brevity, but will share relevant links to the ad platforms where the full process can be understood. The information changes regularly, and a link to the source is a far safer way to share this information with the reader. I'll cover Meta (Facebook), Google Ads. Info for LinkedIn and X was less

Hashing: How the ad platforms encrypt personal data

Let's start with Meta and use it as a proxy for the other ad platforms. To create a custom audience in Meta, we upload a spreadsheet with as many as 18 different identifier types. These can include:

  • Email address
  • Phone number
  • First name
  • Surname
  • Age
  • City
  • Country
  • Date of Birth
  • Gender
  • And more...

The full details can be found here: Meta: How to format a customer list when creating a custom audience.

But Meta (and the other platforms) do an essential thing to protect your user's identity called Hashing. 

Hashing is a type of cryptographic security method which turns the information in your customer list into randomised code. The process cannot be reversed. 

Below is an excerpt from Meta on their hashing process:


Your hashed information is compared to Meta's own hashed information (Meta's first-party user data). After matching Facebook profiles, a custom audience is created - the hashed information is then deleted.

In this way, none of the personal information you shared via your upload is stored and can not be used for purposes other than this audience. 

Google's process: From list creation to upload and deletion

Google has also hashes the data, but they've taken the time to outline the process of creating the lists, uploading them, and determining what happens to the data after uploading them. Rather than summarise, I have provided the links below if you wish to understand the process in depth. 

Google Ads: About audience segments

Google Ads: Create a customer list

Google Ads: Upload Customer Match data

Google Ads: About the customer matching process

X and LinkedIn

On X, like Google, you can pre-hash your data - but the networks will do it for you regardless.

Below is an excerpt from X on thier hasing process:

Screenshot 2024-04-05 at 12.58.30

X: List Custom Audiences

On LinkedIn, whether you upload a CSV or upload via a Data Integration partner (Eg. Make, Zapier, HubSpot, Salesforce) your email data is hashed before sending it to LinkedIn.

Screenshot 2024-04-05 at 13.07.16

LinkedIn: Data collection and storage for LinkedIn Matched Audiences

The complications of managing data privacy compliantly

Unfortunately, compliance is not easy in practice. Our digital ecosystems are comprised of multiple fragmented technologies. Fragmented technologies that don't actively communicate with each other. 

Does your website set cookies before the 'Accept' is clicked? Most websites don't have this set up properly, and they start sharing data with third parties before Accept is clicked. 

Hypothetical example: You capture the cookie acceptance correctly; how do you merge that with your email subscription data in MailChimp or Constant Contact? How do you merge that with contacts who submitted a form on your website and accepted the data privacy and consent information there? If your systems are not connected, you store these preferences on three separate systems. With a fragmented system, can you be sure the contacts you share with the ad platforms have consented?

This is where the difficulty of managing data privacy in a compliant way.

When you export a list for upload into an ad platform, it can be difficult, or even close to impossible, to create a segmented list that you can be sure contains the privacy preferences your users have instructed.   

Let's not even begin to think about how you would manage Consent withdrawal with this fragmented system. 

I'm not saying it's impossible. It's just hard yards to keep this accurate. And it's only as accurate as your last data export and merge. Which might be last month. 

Systems to help manage data privacy preferences

The only systems I can confirm will do this accurately across all communication channels and websites are HubSpot and Salesforce. A good system with take care of the complexities and remove the need for manual compilation of privacy and subscription preferences. Data privacy is not something you want to leave to chance.

Below, you'll see HubSpot has recently added a feature to enable your contacts to manage their own data alongside their subscription preferences. 

manage contacts data requests


And their documentation is the best in the game, making the complex easy.

Just compare the how-to documentation - I know which system I'd choose to use.

HubSpot: Understand privacy and consent while using HubSpot ads

Salesforce: Get Started with Advertising Audiences

HubSpot outlines exactly what it does with your data. No such luck with Salesforce or other customer management platforms.


Screenshot 2024-04-05 at 13.24.11


Google Ads: They even note the exceptions.

Screenshot 2024-04-05 at 13.24.34

In HubSpot CRM, you can easily filter and create lists to push to the ad platforms. If a user opts out or becomes a customer, HubSpot will automatically remove the contact from the audience. No human interaction is required.

Facebook: Target Facebook ads using HubSpot audiences

Final thoughts

I've outlined the importance of compliance in collecting and using personal data, particularly in list-based remarketing. I've highlighted the need for clear privacy policies, transparent cookie consent mechanisms, and the ethical handling of data uploads to advertising platforms. The use of hashing by platforms like Meta and Google Ads illustrates the efforts made to protect user privacy while enabling targeted marketing.

Lastly, I detailed some of the complexities of managing data privacy compliantly in a fragmented digital ecosystem; and how systems like HubSpot and Salesforce can streamline this process, ensuring that user preferences are respected across all channels.

To summarise, while remarketing is an effective tool for organisations to re-engage with their audience, it must be balanced with a commitment to ethical data practices. We must prioritise user trust by ensuring openness, compliance, and privacy. This method not only protects user data but also improves the trust and reputation of businesses in the digital realm.



This article does not constitute legal advice, nor am I a legal practitioner. It seeks to broadly cover the issues at hand when considering remarketing, data privacy, and cookies. Please seek the advice of a legal professional to craft your policies.  

Recent posts like this


How to Choose a HubSpot Partner in South Africa

Brand Strategy

The Strategic Art Of Typography In Digital Branding


Best CRM Software in South Africa 2024

Brand Strategy

Digital Brand Building: A Helpful Guide To The 4 Major Font Types